Chapter 4. Configuring IPNAT

4.1. Introduction

Network Address Translation (NAT) is part of IPFilter, which
comes by default with the NetBSD release. The job of NAT is to take the
source IP address of packets leaving through one network interface and
rewrite it to another address (normally the address of that interface),
so that hosts on a private network can reach the outside world through a
single public address. This is also known as masquerading.

Luckily for you (the exhausted reader) and me (the exhausted
author), configuring NAT is pretty simple, especially with the example
we are using.

4.2. What Our /etc/ipnat.conf Needs to Look Like

Our /etc/ipnat.conf needs only three lines. The first proxies ftp
through the ep0 interface (active ftp carries addresses and ports inside
its control channel, so plain address rewriting is not enough for it).
The next line maps all tcp/udp traffic right on through the
interface and assigns each outbound "connection" a source port from
10000 to 20000, and finally the last line just plain-maps
172.16.0.0/16 to 216.68.250.60/32. For our purposes this is all we
need, so the rest of this document is of limited interest to those of
you in a crunch trying to get a firewall up.
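Written out in ipnat.conf syntax, the three rules just described look like this. This is an added example reconstructed from the description above, not the listing of the original page; it assumes, as the rest of the chapter does, that ep0 is the outside interface and 216.68.250.60 is its address:

```conf
# /etc/ipnat.conf (added example, reconstructed from the text above)
# ep0 is the outside interface; 216.68.250.60 is its public address.

# 1. Proxy ftp: the proxy also rewrites the addresses and ports that
#    active ftp embeds in its control channel.
map ep0 172.16.0.0/16 -> 216.68.250.60/32 proxy port ftp ftp/tcp

# 2. Map tcp and udp, giving each outbound connection its own source
#    port in the 10000-20000 range so replies can be matched back.
map ep0 172.16.0.0/16 -> 216.68.250.60/32 portmap tcp/udp 10000:20000

# 3. Plain map for everything else (icmp and any other protocol).
map ep0 172.16.0.0/16 -> 216.68.250.60/32
```

Rules are tried in order, so the proxy and portmap lines must come before the plain map or they will never be reached. Load (or reload) the file with `ipnat -CF -f /etc/ipnat.conf`, and inspect the active rules and the current translation table with `ipnat -l`.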

4.3. Other Nifty Stuff

A few items of interest for the curious. We can also map from the
outside into the local network (an rdr rule rather than a map rule):

This might be handy to connect to a specific server inside (such
as a web server) or, if you recall the DMZ example in the overview
document, to translate into the DMZ from the world. Additionally it
can be used as a poor man's router to link internal networks together,
but there are much better ways of doing that.

Instead of this, however, most administrators would locate the
web server within a DMZ and use IPFilter to ensure only http and ssh
connections can be made to the system.
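An rdr rule that lets the world reach a web server behind the firewall, as an added example that is not from the original page. The DMZ address 192.168.1.10 is an assumption; substitute the real one:

```conf
# Added example. Inbound connections arriving on ep0 for the public
# address 216.68.250.60, tcp port 80, are redirected to the web server
# on the DMZ host 192.168.1.10 (assumed address, not from the page).
rdr ep0 216.68.250.60/32 port 80 -> 192.168.1.10 port 80 tcp

# The same form serves an internal host (e.g. 172.16.1.10) or a
# different inside port (say, port 8080 on the right-hand side).
```

Only the port named in the rule is redirected; anything else sent to 216.68.250.60 still terminates on the firewall itself. The rdr rule only opens a path through the NAT: inbound packets are translated before the filter sees them, so the ipf rules still decide whether the packet is allowed, and the pass rule should admit just tcp port 80 (plus ssh from wherever the administrators sit) to the translated DMZ address.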

If you look closely you will see that all outbound connections map to a
single IP address. What if you wanted to be able to map to more? You can
do so by simply changing the single address to a network (every address
in that network must be routed to this host, or the replies will never
come back):

map ep0 172.16.0.0/16 -> 216.68.250.0/24

Finally, the portmap range can be adjusted to whatever you feel
is necessary; it just has to be large enough for the number of
simultaneous outbound connections you expect.

4.4. IPNAT With Dial Up Networking

Many home users use dial-up connections to access the
Internet, and many dial-up connections are assigned a dynamic IP address
every time the user connects. At first glance it may appear that some
method for putting this new address into
/etc/ipnat.conf on every connect is required. Luckily, that is
not so. Take note of how addresses can be written on the Internet side
of the ipnat.conf file. Entire subnets
can be used like so:

map ep0 172.16.0.0/16 -> 216.68.0.0/16

What this is saying is that addresses from 172.16.0.0/16 can be
assigned any address on the 216.68.0.0/16 network. Keeping that in mind, on
a dial-up connection you know you will be given one and only one address,
so the following entries effectively do the same:
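The entries the paragraph refers to are not shown on this page; what follows is an added example of the usual way to write them, with ppp0 assumed as the name of the dial-up interface:

```conf
# Added example. On a dial-up link the interface address changes on
# every connect, so instead of writing it into the file, use 0/32,
# which ipnat treats as "the current address of this interface".
# ppp0 is the assumed name of the dial-up interface.
map ppp0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map ppp0 172.16.0.0/16 -> 0/32 portmap tcp/udp 10000:20000
map ppp0 172.16.0.0/16 -> 0/32
```

Because the address is looked up from the interface rather than stored in the rule, the file never needs editing after a reconnect. If translations still use a stale address after the link comes back up, `ipf -y` resyncs IPFilter's copy of the interface addresses.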